wazuh / wazuh-agent

The Wazuh agent for endpoints.
https://wazuh.com
GNU Affero General Public License v3.0

Remap Inventory Package Fields #308

Closed LucioDonda closed 1 week ago

LucioDonda commented 1 week ago
Related issue
Closes #297

Description

Get the original package inventory fields and rename them in order to comply with the ECS mapping.

Logs/Alerts example

Body:
{
    "agent": {
        "groups": [],
        "host": {
            "architecture": "x86_64",
            "hostname": "pm-ubuntu24-server",
            "ip": [
                "192.168.0.141",
                "fe80::be24:11ff:fe54:83fb"
            ],
            "os": {
                "name": "Ubuntu",
                "platform": "Linux"
            }
        },
        "id": "03a098ee-ec5d-4658-8daa-721a53ea5cd5",
        "name": "",
        "type": "Endpoint",
        "version": "5.0.0"
    }
}
{
    "id": "aW52ZW50b3J5OnBhY2thZ2VzOiJsaWJjdGYwIjoiMi40Mi00dWJ1bnR1Mi4zIjoiYW1kNjQiOiJkZWIiOiIgIg==",
    "module": "inventory",
    "operation": "create",
    "type": "packages"
}
{
    "package": {
        "architecture": "amd64",
        "description": "Compact C Type Format library (runtime, BFD dependency)",
        "installed": " ",
        "name": "libctf0",
        "path": " ",
        "size": 232,
        "type": "deb",
        "version": "2.42-4ubuntu2.3"
    },
    "scan_time": "2024/11/14 17:58:47"
}

Base64 decoding: [image]

Tests

Running agent against mock server, received proper events with only the packages inventory item enabled.

LucioDonda commented 1 week ago

New resulting JSON:

{
    "data": {
        "@timestamp": "2024/11/15 18:05:48",
        "package": {
            "architecture": " ",
            "description": " ",
            "installed": " ",
            "name": "ufoLib2",
            "path": "/usr/lib/python3/dist-packages/ufoLib2-0.16.0.dist-info/METADATA",
            "size": 0,
            "type": "pypi",
            "version": "0.16.0"
        }
    },
    "id": "aW52ZW50b3J5OnBhY2thZ2VzOnVmb0xpYjI6MC4xNi4wOiA6cHlwaTovdXNyL2xpYi9weXRob24zL2Rpc3QtcGFja2FnZXMvdWZvTGliMi0wLjE2LjAuZGlzdC1pbmZvL01FVEFEQVRB",
    "operation": "create",
    "type": "packages"
}

Decoding: [image]
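As an added example (not code from the wazuh-agent repository), the remap this PR describes, applied in Python to the libctf0 event from the first comment to produce the shape shown in the second comment; it also decodes the base64 `id` (both ids on the page decode to `inventory:packages:` followed by name, version, architecture, type and path) and checks that a consumed event's id is consistent with its package fields. The function names and the merged `OLD_EVENT` dict are this example's own construction.

```python
import base64

# Constructed sample (not the project's code): the three objects from the first
# comment merged into one dict, with the "agent" block omitted for brevity.
OLD_EVENT = {
    "id": "aW52ZW50b3J5OnBhY2thZ2VzOiJsaWJjdGYwIjoiMi40Mi00dWJ1bnR1Mi4zIjoiYW1kNjQiOiJkZWIiOiIgIg==",
    "module": "inventory",
    "operation": "create",
    "type": "packages",
    "package": {
        "architecture": "amd64",
        "description": "Compact C Type Format library (runtime, BFD dependency)",
        "installed": " ",
        "name": "libctf0",
        "path": " ",
        "size": 232,
        "type": "deb",
        "version": "2.42-4ubuntu2.3",
    },
    "scan_time": "2024/11/14 17:58:47",
}


def remap_to_ecs(event: dict) -> dict:
    """Old shape -> new shape: scan_time becomes data.@timestamp, package
    moves under data, and "module" is dropped (see the second comment)."""
    return {
        "data": {"@timestamp": event["scan_time"], "package": dict(event["package"])},
        "id": event["id"],
        "operation": event["operation"],
        "type": event["type"],
    }


def decode_event_id(event_id: str) -> str:
    """Both ids on the page are plain base64 of 'inventory:packages:' plus
    name, version, architecture, type and path, joined with ':'."""
    return base64.b64decode(event_id).decode("utf-8")


def id_matches_package(event: dict) -> bool:
    """Consumer-side check: every non-blank identity field must occur in the
    decoded id, so an id that does not belong to its package is caught."""
    decoded = decode_event_id(event["id"])
    pkg = event["data"]["package"]
    keys = ("name", "version", "architecture", "type", "path")
    return decoded.startswith("inventory:packages:") and all(
        str(pkg[k]) in decoded for k in keys if str(pkg[k]).strip())
```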